[Openvpn-users] VPN without encryption and auth
Hi All,

I am considering setting up OpenVPN without encryption and packet authorization, as a way to lower the VPN overhead, by using the following directives:

cipher none
auth none

Apart from having the tunneled traffic in the clear, since now it will not be encrypted, what other implications are there for going like this? My main concern for this setup is not the encryption, but low overhead.

FYI, when testing a standard VPN setup, with AES-128-CBC cipher and auth enabled, + lzo compression, I was receiving 14 - 18% VPN overhead on top of the total udp traffic observed on WAN. When disabling encryption and auth, I received 6% overhead.

Thanx in advance for your feedback.

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN compression ratio
Thank you Selva. I confirm I can read those values from the client side.

On Fri, Jul 21, 2017 at 4:01 AM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> On Thu, Jul 20, 2017 at 5:51 PM, Abi Askushi <rightkickt...@gmail.com> wrote:
>
>> Hi Selva,
>>
>> I have already enabled the status file and I am getting the following:
>>
>> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
>> TestClient,192.168.0.180:48699,*364880*,*269678*,Thu Jul 20 16:08:39 2017
>>
>> It seems that it has only two values, for bytes received and sent.
>> I am using OpenVPN 2.2. Is this a feature provided by later VPN versions?
>
> I was referring to status on the client. On the server, compression stats are not
> included in the status output. Debug level info on compression stats is
> printed to the log at verb=9 but that may be too verbose to be useful for
> regular stats collection.
>
> As for 2.2, it's very old -- upgrade.
>
> Selva
Re: [Openvpn-users] OpenVPN compression ratio
I am getting the following values and I am a bit confused as they don't add up:

OpenVPN STATISTICS
Updated,Fri Jul 21 07:12:57 2017
TUN/TAP read bytes,527859
TUN/TAP write bytes,678807
TCP/UDP read bytes,804077
TCP/UDP write bytes,702449
Auth read bytes,678807
pre-compress bytes,140358
post-compress bytes,131343
pre-decompress bytes,80635
post-decompress bytes,127443
END

I understand the following. Please correct me if I am wrong:

TUN/TAP read bytes,527859: bytes received on the tun interface (download)
TUN/TAP write bytes,678807: bytes sent on the tun interface (upload)
TCP/UDP read bytes,804077: bytes received on the WAN interface (this includes VPN encapsulation)
TCP/UDP write bytes,702449: bytes sent on the WAN interface (this includes VPN encapsulation)
Auth read bytes,678807: ???
pre-compress bytes,140358: bytes to be sent on the tun interface before they are compressed (upload)
post-compress bytes,131343: bytes to be sent on the tun interface after they are compressed (upload)
pre-decompress bytes,80635: bytes received on the tun interface before they are decompressed (download)
post-decompress bytes,127443: bytes received on the tun interface after they are decompressed (download)

Why are the values reported in the compression stats so different from the TUN/TAP values? Don't they refer to the same payload traffic of the VPN?

Thanx,
Abi

On Fri, Jul 21, 2017 at 10:02 AM, Abi Askushi <rightkickt...@gmail.com> wrote:
> Thank you Selva. I confirm I can read those values from the client side.
>
> On Fri, Jul 21, 2017 at 4:01 AM, Selva Nair <selva.n...@gmail.com> wrote:
>> Hi,
>>
>> On Thu, Jul 20, 2017 at 5:51 PM, Abi Askushi <rightkickt...@gmail.com> wrote:
>>
>>> Hi Selva,
>>>
>>> I have already enabled the status file and I am getting the following:
>>>
>>> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
>>> TestClient,192.168.0.180:48699,*364880*,*269678*,Thu Jul 20 16:08:39 2017
>>>
>>> It seems that it has only two values, for bytes received and sent.
>>> I am using OpenVPN 2.2. Is this a feature provided by later VPN versions?
>>
>> I was referring to status on the client. On the server, compression stats are not
>> included in the status output. Debug level info on compression stats is
>> printed to the log at verb=9 but that may be too verbose to be useful for
>> regular stats collection.
>>
>> As for 2.2, it's very old -- upgrade.
>>
>> Selva
[Openvpn-users] OpenVPN compression ratio
Hi all,

Do you know of any way that one could calculate the OpenVPN compression ratio for a specific amount of traffic? Apart from wireshark/tshark measurements that one may attempt, is there any other way that one could query this statistic, perhaps from the openvpn service?

Thanx,
Abi
Re: [Openvpn-users] OpenVPN compression ratio
Hi Selva,

I have already enabled the status file and I am getting the following:

Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
TestClient,192.168.0.180:48699,*364880*,*269678*,Thu Jul 20 16:08:39 2017

It seems that it has only two values, for bytes received and sent.
I am using OpenVPN 2.2. Is this a feature provided by later VPN versions?

Thanx,
Abi

On Fri, Jul 21, 2017 at 12:41 AM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> On Thu, Jul 20, 2017 at 5:04 PM, Abi Askushi <rightkickt...@gmail.com> wrote:
>
>> Hi all,
>>
>> Do you know of any way that one could calculate the OpenVPN compression
>> ratio for a specific amount of traffic? Apart from wireshark/tshark
>> measurements that one may attempt, is there any other way that one could query
>> this statistic, perhaps from the openvpn service?
>
> The status output has the pre-compressed and post-compressed bytes info.
> To get the status, either use "--status filename interval" in the config,
> or send SIGUSR2 to the running process (status output goes to log), or
> connect to the management interface and type status.
>
> Selva
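The client-side STATISTICS block Abi quotes earlier in this thread, obtained through any of the three routes Selva lists above (--status file, SIGUSR2, or the management interface), already contains what the original question asks for. The following is an added example, not OpenVPN's own code: it parses that block, derives the per-direction compression ratio and the wire-to-payload overhead, and assumes only the "name,value" line format shown in the thread.

```python
# Added example, not OpenVPN project code. Sample input: the client status
# block quoted in this thread, embedded here so the script runs offline.
SAMPLE_STATUS = """\
OpenVPN STATISTICS
Updated,Fri Jul 21 07:12:57 2017
TUN/TAP read bytes,527859
TUN/TAP write bytes,678807
TCP/UDP read bytes,804077
TCP/UDP write bytes,702449
Auth read bytes,678807
pre-compress bytes,140358
post-compress bytes,131343
pre-decompress bytes,80635
post-decompress bytes,127443
END
"""


def parse_status(text):
    """Map each 'name,value' line between the STATISTICS header and END to an
    int; the 'Updated' timestamp line has no numeric value and is skipped."""
    counters, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "OpenVPN STATISTICS":
            in_block = True
        elif line == "END":
            break
        elif in_block and "," in line:
            name, _, value = line.rpartition(",")
            if value.isdigit():
                counters[name] = int(value)
    return counters


def compression_ratios(counters):
    """Compressed/uncompressed bytes per direction (1.0 = no gain); None if absent."""
    def ratio(num, den):
        return counters.get(num, 0) / counters[den] if counters.get(den) else None
    return {"upload": ratio("post-compress bytes", "pre-compress bytes"),
            "download": ratio("pre-decompress bytes", "post-decompress bytes")}


def tunnel_overhead(counters):
    """Wire (TCP/UDP) bytes over payload (TUN/TAP) bytes, minus one."""
    wire = counters["TCP/UDP read bytes"] + counters["TCP/UDP write bytes"]
    payload = counters["TUN/TAP read bytes"] + counters["TUN/TAP write bytes"]
    return wire / payload - 1.0


if __name__ == "__main__":
    c = parse_status(SAMPLE_STATUS)
    print(compression_ratios(c), f"overhead {tunnel_overhead(c):.1%}")
```

The overhead figure lumps encapsulation, crypto and control-channel traffic together, which is the same quantity the "VPN without encryption and auth" thread on this page measures from the WAN side.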
Re: [Openvpn-users] VPN without encryption and auth
I would suggest keeping auth enabled, while having cipher none, to avoid DoS attacks.

On Aug 6, 2017 11:35, "Yevgeny Kosarzhevsky" wrote:
>
> On 2 August 2017 at 20:37, David Sommerseth topphemmelig.net> wrote:
>
>> Configuring OpenVPN without encryption is a peculiar use case I've
>> seldom quite understood, except if you're doing some research on various
>> crypto or network related scenarios.
>
> OpenVPN without encryption or with weak encryption using '--auth none
> --no-iv --no-replay' is still a great tool for tunneling traffic over the UDP
> protocol. IPIP, L2TP or other known tunneling solutions may be blocked in
> certain countries. This is the reason I would vote to keep the no-iv option in the
> upcoming 2.5 release.
>
> --
> Regards,
> Yevgeny
Re: [Openvpn-users] HA between two server on different sites.
There are several ways that come to mind, though which would be the best approach depends on the exact requirements:

1. Simple failover with multiple remote servers in the client side config. You can even put weights here.
2. Have the servers on a cloud provider that provides virtual IP failover between remote sites.
3. Script your way. For example, I had scripted a simple monitoring agent whose job was to open and close the VPN ports through iptables depending on the availability of the peer server (+ internet connectivity checks to avoid false positives), and have multiple server lines in the remote directive of the client config.

When you mention that you had problems with the tunnel routes, what exactly was the problem? Is it related to ospf or vpn routes? Openvpn has up/down directives that you can use to trigger and run scripts to clean routes or do other tasks.

On Jul 26, 2017 00:00, "Marcelo Moraes" wrote:

Hi everybody.

First of all, I'm sorry. This may be a very simple matter, but I'm not succeeding in solving it.

I need to make a high availability setup between two openvpn servers that are in two different physical locations. I thought first of making a server and a client for each connection and propagating the routes through ospf. I also thought about creating two servers, and adding them to a single multi-line client with the remote command. What would be the best way to do this?

Of these two forms mentioned above I am having problems with the tunnel routes, because if a server goes offline for some reason, when it returns, the openvpn service can not bring up that route because there is already the same route through another path, and then the server errors and stops.

Any idea is welcome

--
Regards
Marcelo Moraes | IT Support
Phone: 17-3330-5000 (ext. 5006)
Skype: mmoraes.campofert
[Openvpn-users] OpenVPN with LZ4
Hi All,

I have compiled the latest openvpn 2.4.3, as below:

apt-get install libpam0g-dev liblzo2-dev liblz4-dev
./configure --build=x86_64-linux-gnu --prefix=/usr --sysconfdir=/etc OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto" OPENSSL_CFLAGS="-I/usr/local/ssl/include" --disable-debug --disable-dependency-tracking --with-crypto-library=openssl --enable-iproute2
make
make install

Then I created a deb file from the above.

Do I need to install any LZ4 libraries on other devices where the resulting openvpn deb file is to be installed?

I was thinking that LZ4 tools might not be needed and that LZ4 compression would be handled by the kernel. (When installing the deb file without installing any LZ4 user space tools I did not receive any warning or error and the VPN tunnel was able to establish.)

Thanx,
Abi
Re: [Openvpn-users] OpenVPN with LZ4
Thanx Gert for the explanation. I get the following:

ldd openvpn
linux-vdso.so.1 => (0x7ffc2e1da000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x7fd04c672000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x7fd04c45c000)
liblzo2.so.2 => /usr/lib/x86_64-linux-gnu/liblzo2.so.2 (0x7fd04c23b000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7fd04bfda000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7fd04bbe)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fd04b9dc000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fd04b64f000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7fd04b438000)
/lib64/ld-linux-x86-64.so.2 (0x7fd04c88a000)

Seems that lz4 is statically linked, as it is not shown above, and the deb file is sufficient to deploy this new update without installing any other packages.

Thanx,
Abi

On Thu, Aug 24, 2017 at 10:08 PM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> this is a question better suited for openvpn-devel, really...
>
> On Thu, Aug 24, 2017 at 08:12:13PM +0300, Abi Askushi wrote:
>> apt-get install libpam0g-dev liblzo2-dev liblz4-dev
> [..]
>> Then I created a deb file from the above.
>>
>> Do I need to install any LZ4 libraries on other devices where the resulting
>> openvpn deb file is to be installed?
>
> That depends on whether liblz4-dev installs a shared library (liblz4.so)
> or only a static library (liblz4.a). The static library is fully embedded
> into the openvpn binary, so you do not need anything "extra" - for the
> dynamic library, you'll likely need "liblz4" on the target system.
>
>> I was thinking that Lz4 tools might not be needed and that LZ4 compression
>> will be handled from the kernel. (When installing the deb file without
>> installing any LZ4 user space tools I did not receive any warning or error
>> and the VPN tunnel was able to establish)
>
> OpenVPN does not use kernel side compression.
>
> If you can start the openvpn binary, everything that is needed is there
> (so, either liblz4.so was already there on the system, or liblz4.a
> was statically linked).
>
> You can find out by running "ldd openvpn" on your openvpn binary - if
> liblz4. shows up, it needs the dynamic library. Everything
> that does *not* show up is built-in (or not a direct dependency).
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de